Enabling every event for exfil can produce an exceedingly large amount of traffic (think all file io, all network, all registry etc).

Managing this requires a few different mechanism.

First of all, if you leave the default exfil profiles enabled, you should never have to worry about any of the following.

LimaCharlie attempts to process all events in real-time. When it falls behind, the events get enqueued, up to a certain limit.
If that limit is reached (as in the case of a long, sustained burst, or enabling all event types all the time), the queue gets
eventually dropped and you may lose events. In that case, an error is emitted to the platform logs.

Seeing those errors should be a sign you need to do one or more of the following:

Reduce the events you select.

Reduce the number of D&R rules you run or their complexity.

Adopt a more selective subset of the events you select by creating Watch Rules that bring back only the events with the specific values you need.

Enable the IR mode (more on this below).

Before the queue gets dropped, LimaCharlie attempts to increase performance by entering a special mode we call "afterburner".

This mode tries to address one of the common scenarios that can lead to large influx of data: spammy processes starting over and over again. This
happens most often in situations like during building of software where, for example, devenv.exe or git.exe can be called hundreds of times
per second. The afterburner mode attempts to de-duplicate those processes and only process each one once through the D&R rules and Outputs (storage).

The afterburner mode does not address all possible causes or situations, so another tool is available, the "IR mode". This mode is enabled by tagging
a LimaCharlie sensor with the tag ir. The goal is to provide a solution for users who want to record a very large number of events, but do not need to
run D&R rules over all of them. When enabled, the "IR mode" will not de-duplicate events, but will only run D&R rules over the following event types:

NEW_PROCESS

CODE_IDENTITY

DNS_REQUEST

NETWORK_CONNECTIONS

This gives you a balance between recording all events, while maintaining basic D&R rule capabilities.